Category: Monthly notes

Spring is just around the corner with sun warming our souls and calling us to go outside. Here’s monthly notes for March with topics from software development rewrite stories to code quality and OWASP videos.

I ruin developers’ lives with my code reviews and I'm sorry
Story of how a developer understood that "I don’t do code review for the business, I just like showing the rookies their place. My skills have finally started to pay off." And that the mentality should be "No big deal if the code’s not good, I can fix it myself if I need to. But I can’t fix the psyche of a guy broken by dozens of harsh reviews."

Code quality

SE-Radio Episode 357: Adam Barr on Code Quality
Software Engineering Radio talked with Adam Barr, author of "Why Smart Engineers Write Bad Code", about code quality: how developers learn to program on their own, how that influences their thinking about code quality, what code quality is, how it can (or cannot) be measured, and whether some programming languages are more prone to bad code. The episode continues with a discussion on standardization. Why does our profession lack a professional certificate like doctors and engineers have?

Security

The Anatomy of an AWS Key Leak to a Public Code Repository
Many of us working with any cloud provider know that you should never ever commit access keys to a public GitHub repo. Some really bad things can happen if you do. The writeup shows you a real case that happened last week. tl;dr: Exposed keys are quickly attacked. The concept of least privilege is important. AWS scrapes the API of all public GitHub commits but doesn't automatically disable the key. To prevent keys from leaking, use tools like git-secrets or GitGuardian.

Password Managers: Under the Hood of Secrets Management
Password managers allow the storage and retrieval of sensitive information from an encrypted database. The paper proposes security guarantees password managers should offer and examines the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7, 1Password 4, Dashlane, KeePass, and LastPass. They found that in all password managers examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases.

AI and Machine Learning

Something different

The Privateer is back for Season 2
Behind every top level athlete is a support team that helps them with everything from diet and exercise to product and equipment set up. When you're a Privateer it's up to you to fund your racing endeavours. Adam is back for another season of racing as The Privateer.

Warm weather and cold Northern winds just call for a warm mug of cacao and something to read by the fireplace. Here's monthly notes for February with topics from testing to software development project guidelines and from microservices to tips and tools. Also learning React App.

Issue 38, 19.02.2019

Testing

How to stop hating your tests
I'm not a fan of extensive UI tests. I think they should be mostly about seeing that the whole system functions when all systems are integrated and functional. This talk makes a good case for it. If you want to skip right to this subject, it starts at around 18:50.

Software development

My Opinionated Setup for Web Projects
"During the past few years, I have worked on multiple smaller and larger projects. In this blog post I explain my default project setup for a typical web frontend project."

Project Guidelines
"While developing a new project is like rolling on a green field for you, maintaining it is a potential dark twisted nightmare for someone else. Here's a list of guidelines we've found, written and gathered that (we think) works really well with most JavaScript projects here at elsewhen."

Microservices

Building Microservices: Designing fine-grained systems (pdf)
"Distributed systems have become more fine-grained in the past 10 years, shifting from code-heavy monolithic applications to smaller, self-contained microservices. But developing these systems brings its own set of headaches. With lots of examples and practical advice, this book takes a holistic view of the topics that system architects and administrators must consider when building, managing, and evolving microservice architectures."

Microservices vs The World
"In the last 5 years microservices have been pretty much the topic on every architectural conversation. The idea is great, small, independent, cohesive, services that can be implemented, tested, maintained and released individually without much impact on the rest of the system. Microservices are then the holy grail of architectures all positives and almost zero negatives. If that is the case, why in the last 2-3 years our holy grail is getting bad press? Some engineers even suggest that a monolith is better. How can a monolith be better? Well, it all comes down to pros and cons and how the business is structured."

Microservices architecture sounds amazing on paper, but unless the business as a whole is committed to it, your department will end up with low morale, low productivity, and tons of code debt.

Tools of trade

DockStation
"Application for managing projects based on Docker. Instead of lots of CLI commands you can monitor, configure, and manage services and containers while using just a GUI." See running containers in histogram-type graphs, monitor stats, connect with SSH to remote hosts, and start/stop containers.

Scrolling inside Screen
Disable the alternate text buffer in the xterm termcap info inside screen so that you can use the scroll bars (and mouse wheel) to scroll up and down.

Something different

Holiday season is soon here and it's good to take a short break from work and maybe learn or code some new things while relaxing and enjoying the winter time outside. Here's the monthly notes for December. Happy holidays!

Issue 36, 21.12.2018

Tips

Learning

Tips of ppl who want to learn
ReaktorNow Development Discussion campaign shared some insights in the field of software engineering. "Always keep learning and expanding your skills, and remember to step out of your comfort zone."

A novice’s guide to learning to code with CS50
"CS50 is the best learning experience I have ever had in my life." Over 12 weeks you get a two-hour lecture to watch and a problem set to complete each week. Start with Scratch, continue with C and move on to Python plus HTML, CSS, SQL, JavaScript, jQuery and JSON. (from @walokra)

Security

Taking Down an Insider Threat
Excellent story about pentesting from the inside, and about a great digital forensics and incident response team and meticulously implemented security practices.

Software development

Everything about distributed systems is terrible
Hillel Wayne's 38-minute talk at Code Mesh LDN 18, titled "Everything about distributed systems is terrible", is about TLA+, a formal specification system designed by Leslie Lamport. The claim is that by model checking you can find bugs in your (distributed) system that would be practically impossible to find with testing or in production.

December is just around the corner but before that here's monthly notes for November. More about leadership and stories, something about software development.

Issue 35, 13.11.2018

Frontend

CSS and Network Performance
What are the best network performance practices when it comes to loading CSS? How can we get to Start Render most quickly? Good article about how your page will only render as quickly as your slowest stylesheet, and what to do about it. tl;dr: "Lazyload any CSS not needed for Start Render", "Avoid @import", "Be wary of synchronous CSS and JavaScript order", "Load CSS as the DOM needs it". (from @csswizardy)

Bash-it
Bash-it is a collection of community Bash commands and scripts for Bash 3.2+. (And a shameless ripoff of oh-my-zsh?). Includes autocompletion, themes, aliases, custom functions, a few stolen pieces from Steve Losh, and more.

Leadership

Managing with the Brain in Mind
"Treat people fairly, draw people together to solve problems, promote entrepreneurship and autonomy, foster certainty wherever possible, and find ways to raise the perceived status of everyone". Good read about SCARF. (from @walokra)

On Being A Senior Engineer
What makes for a good senior engineer? tl;dr: Be a mature engineer. Good read for everyone regardless of the line of business.

Seek out constructive criticism of their designs.

Understand the non-technical areas of how they are perceived.

Do not shy away from making estimates, and are always trying to get better at it.

Have an innate sense of anticipation, even if they don’t know they do.

Understand that not all of their projects are filled with rockstar-on-stage work.

Something different

You work to live, not live to work
Remember, your job is not your life. You work to live, not live to work. Work on what makes you happy and don't burn yourself out. The thread has good tips to recognize it and take control. (from @jevakallio)

Autumn is well on its way and winds are bringing rains and clouds to the sky. Autumn also means that meetups have awakened and interesting stories from the field are presented. Here's monthly notes for September. Start with writing readable code, continue to build a React app with TypeScript, read how hacker puzzles can be solved and improve your designs with tactics instead of talent. Also use smarter command line tools and listen to a Kubernetes security journey.

Issue 34, 29.9.2018

Software Development

10 practices for writing readable code
Writing readable code may seem subjective but there are core elements within all code which make it readable. Follow these 10 practices. Although I don't quite agree with removing comments. (from @walokra)

Software disenchantment
"As engineers, we can, and should, and will do better. Have better tools, build better apps, faster, more predictable, more reliable, using fewer resources". But on the other hand people won’t pay for efficiency. They buy solutions to their problems. (from @walokra)

JavaScript

Fullstack Express-React App With TypeScript
Have you thought about starting a React app with TypeScript and integrating it with Travis CI and Heroku? Read this definitive guide and check the source of a starter kit for a full stack express-react app. (from @walokra)

Solving the Disobey 2018 puzzle
Great writeup of solving the Disobey.fi 2019 hacker ticket puzzle. Shows you some tools and techniques you can use to progress with these kinds of puzzles. Contains spoilers, so steer clear if you want the fulfilment and bliss that comes from solving it. (from @walokra)

This talk is about you [React Native Developer] (video)
Life of a React Native developer? Jani Eväkallio talks about you at React Native EU 2018. When building software products we're focused on "how" but should also ask "what" and "why", and not just be happy when tickets move from the left to the right side of the screen. (from @walokra)

Microservices

Design

7 Practical Tips for Cheating at Design
"Improving your designs with tactics instead of talent." Every web developer inevitably runs into situations where they need to make visual design decisions, whether they like it or not. There are a ton of tricks you can use to level up your work that don’t require a background in graphic design. Here are seven simple ideas you can use to improve your designs today.

Tools of the trade

CLI: improved
The command line is a powerful tool, but the common tools can be improved. Remy Sharp wrote up his current list of improved CLI tools.

Summer has turned to Autumn and it begins to show in the weather. Sun is setting earlier and soon it's dark almost from dawn to dusk, rain clouds are gathering in the sky with cold winds. Good time to stay inside and read some articles and learn new things. Here's the monthly notes for August.

Issue 33, 28.8.2018

Learning

Elements of Artificial Intelligence free online course
"Do you wonder what AI really means? Are you thinking about the kind of impact AI might have on your job or life? Do you want to understand how AI will develop and affect us in the coming years? Then this is the course for you!"

Microservices and cloud

Docker Pattern: The Build Container
Let’s say that you’re developing a microservice in a compiled language or an interpreted language that requires some additional “build” steps to package and lint your application code. This is a useful docker pattern for the "build" container.

Experiences with running PostgreSQL on Kubernetes
Gravitational CTO, Sasha Klizhentas, tells about his experience running PostgreSQL on Kubernetes. The challenges involved, open source and commercial tools that can help and other alternatives to managing stateful applications on Kubernetes.

Google Cloud Platform - The Good, Bad, and Ugly (It's Mostly Good)
Deps developer tells his thoughts about Google Cloud Platform and splits them into good, meh, bad, ugly, and opportunities for improvement. He compares and contrasts with Amazon Web Services (AWS), the other hosting provider that he has the most experience with, and GCP's biggest competitor.

Goodbye Microservices: From 100s of problem children to 1 superstar
Segment's story of going to microservices architecture and back. "When deciding between microservices or a monolith, there are different factors to consider with each. In some parts of our infrastructure, microservices work well but our server-side destinations were a perfect example of how this popular trend can actually hurt productivity and performance. It turns out, the solution for us was a monolith."

Development

Have you ever needed to generate a random number in code?
Have you ever needed to generate a random number in code? Whether it's for rolling a dice, or shuffling a set, this tweet thread is here for you! There's no reason that it should be easy or obvious, very experienced programmers repeat common mistakes. I did, before I learned ... (from @colmmacc)

Tools of the trade

Semantic Commit Messages
See how a minor change to your commit message style can make you a better programmer. Format: `<type>(<scope>): <subject>`. `<scope>` is optional.

Something different

The Psychology of Money
"Let me tell you the story of two investors, neither of whom knew each other, but whose paths crossed in an interesting way."

Summer season is heating up and here's the monthly notes for July. Something about JavaScript, little bit of design, touch of privacy and tools of the trade.

Issue 32, 23.7.2018

JavaScript

Defining Component APIs in React
Collects some of the best practices for working with React. "The following is a collection of thoughts, opinions, and advice for defining component APIs that are meant to be more flexible, composable, and easier to understand. None of these are hard-and-fast rules, but they’ve helped guide the way I think about organizing and creating components." (from Weekend reading)

TIL: node-jsmin (port of Crockford's JSMin) was dropped from a lot of places, as the modified MIT license with "The Software shall be used for Good, not Evil" is not compliant with the definition of open source software, which doesn't permit any restriction on how software may be used. (from @walokra)

Microservices

Introducing Jib — build Java Docker images better
"Jib, an open-source Java containerizer from Google that lets Java developers build containers using the Java tools they know. Jib is a fast and simple container image builder that handles all the steps of packaging your application into a container image. It does not require you to write a Dockerfile or have docker installed, and it is directly integrated into Maven and Gradle."

Little known trick: the `<script>` tag in html runs the code inside, and also hides it using css display:none. But I can change that to display:block, so that I can show sample code to the reader and also run it on the page to generate diagrams. (need to test across browsers). This also applies to `<style>` tags, where you can also use contentEditable to create a live editable css of the page you are on. (from @ Amit Patel)

Tools of the trade

Browsh
Terminal-based web browser renders everything a modern browser can (HTML5, CSS3, JS, video, even WebGL). Use case: run the browser in a data center with fast internet, and access it over SSH from a device that has slow/limited internet. (from Weekend reading)

"petition to make "paste and match formatting" the default paste option"

Privacy

Riot Games Approach to Anti-Cheat
Riot Games published an article about their anti-cheating methods – nothing really fancy or new, but in the Hacker News thread there was an interesting comment by a cheat writer:

"The current Mac game client for League Of Legends contains full debug symbols and it doesn't have Packman (the packer described in this article), which makes it quite easy to look through the symbols. Inside you can find all of the anti-cheat-related network packets. Now, I personally expect anti-cheat to snoop around my system when I'm doing something shady like scanning its memory. However, if I was a normal user of the game, I would be a bit concerned to know that it might be sending my recently used file names, drive names, system driver names, currently running processes, processor information, system state, and even entire binary files that it automatically deems as "suspicious", to their servers."

@aral and maya kosoff: "X is a service that enables you to control articles presented to your wife on the websites she usually visits, in order to influence her on a subconscious level to initiate sex. The best bit? It's "just" adtech. It's retargeting. It's how Google makes money." Also suggested use cases are "get your kid a dog" or "stop drinking" which seems to open up a whole new acquaintance micromarketing concept. Makes you think how you're influenced and by whom.

@dhh
"Imgur's fake adherence to GDPR is exactly the kind of transgression that should trigger those multi-million euro fines. There are literally HUNDREDS and HUNDREDS of shady services getting your data. Only bulk link is to ALLOW ALL, which is also default. Tons you can't opt-out."

Something different

StemCAPtain
"The StemCAPtain replaces the stem cap, aka top cap, piece of a threadless 1" or 1 1/8" headset with different functional accessories. In addition to the simple and elegant analog clock, we offer a thermometer, bottle opener, picture frame, compass, GPS mount, and USB charger"

The first part of Summer has been great and holiday season is near. Here's monthly notes for June with topics of microservices, kubernetes, design patterns and stories of how Shopify and Airbnb build their services. Also some tools like Kap. Happy reading.

Issue 31, 28.6.2018

Microservices

7 tips for effective microservices
"Have a request-id/correlation-id for every request, Maintain backward compatibility of interfaces, Have a centralized logging system, Implement idempotency and retries, Be aware of language constraints, Have a single service to manage the system state, Strike a balance between in-memory-data and db persistence" (from The Microservice Weekly)

Kubernetes

AWS Workshop for Kubernetes
"Self-paced workshop designed for Development and Operations teams who would like to leverage Kubernetes on Amazon Web Services (AWS)."

iOS

xcprojectlint: A security blanket for Xcode project files
Would you like to automate some consistency in your Xcode project files with checks for settings defined at the project level (rather than in an xcconfig), missing files and empty file groups? This tool does exactly that, and more. Also, I like the way it's described: "Provides a security blanket, ensuring neither your co-workers, nor git screw up your Xcode project file." (from iOS Dev Weekly 353)

Tools

How others are doing things

Shopify Infrastructure with Niko Kurtti
"Shopify has built its own platform-as-a-service on top of Kubernetes called Cloudbuddies. Niko Kurtti, a production engineer at Shopify, joins the Software Engineering Daily show to describe Shopify’s infrastructure – how they run so many stores, how they distribute those stores across their infrastructure, and the motivation for building their own internal platform on top of Kubernetes."

Building Services at Airbnb, Part 1
The first in a series on scaling service development, this article looks at the core structure, the Service IDL, underpinning the new Services Oriented Architecture at Airbnb.

Building Services at Airbnb, Part 2
The second in a series on scaling service development, this article looks at some of the key tooling that supports the new Services Oriented Architecture at Airbnb.

Awesome design patterns
A curated list of software and architecture related design patterns. Software design pattern - A general, reusable solution to a commonly occurring problem within a given context in software design. It is a description or template for how to solve a problem that can be used in many different situations.

Something Different

Cool Backgrounds
Collection of tools to create compelling, colorful images for blogs, social media, and websites. Beyond backgrounds, the images generated can be used as desktop wallpapers or cropped for mobile wallpapers.

Summer is approaching and even in Finland the weather is sunny and warm. I've been busy as the Enduro-MTB racing season has started and most weekends are spent at the race track. But here's monthly notes for May with topics of state of the Web, how geolocation in browsers work, and something about tools. Happy reading.

Paw
Paw is a full-featured HTTP client that lets you test and describe the APIs you build or consume. It has a beautiful native macOS interface to compose requests, inspect server responses, generate client code and export API definitions.

JavaScript

`npm audit`: identify and fix insecure dependencies
"npm audit is a new command that performs a moment-in-time security review of your project’s dependency tree. Audit reports contain information about security vulnerabilities in your dependencies and can help you fix a vulnerability by providing simple-to-run npm commands and recommendations for further troubleshooting." (from JavaScript Daily)

Thinking

Something different

Unchained: A story of love, loss, and blockchain
> It was a smart contract that stipulated sexual fidelity and parental responsibilities. Tokens from their joint earnings paid the AI judges and IoT sensor oracles that monitored contract violations. On mornings like this, you really needed commitment that was mathematically provable, not just an empty promise at the altar.

This month's notes are about front-end technologies: a sneak peek beyond React 16 and videos from Vue and Angular conferences. Also CSS Blocks + OptiCSS is great, and for us in the EU it's nice that Fargate is finally available in Ireland. Check also the list of important podcasts for software engineers.

Issue 29, 29.4.2018

Security

Computer security principles
One should keep in mind that there’s no such thing as perfect security. To put it another way, 100% hack-safe systems do not exist. It’s all about the resources the attacker(s) have, whether it is money, brain power, or equipment. Security standards and best practices change quickly, and therefore a system built five years ago does not necessarily conform to current standards. So let’s look at some proactive measures that can be taken to harden a system or code.

Deploying FARGATE services using CloudFormation
"TL;DR — Deploying Fargate services is not as straight forward as you may think, especially if you’re used to the current EC2 configuration and are now trying to migrate running services. I had to go through a couple of days and few dozens of CloudFormation deployment iterations to figure out my missing / wrong settings before I made it through my first running Fargate container."

Front-End

CSS at Scale: LinkedIn’s New Open Source Projects Take on Stylesheet Performance
"TL;DR: CSS Blocks + OptiCSS = :fire: So you get to write component-scoped CSS but end up with globally scoped, browser-friendly and compressed CSS classes (think atomic CSS). CSS Blocks does its magic with statically analyzing your markup and updating it with the new classes. It runs the OptiCSS as well, so you get tree-shaking and dead-code elimination also. Not 100% of the terms here, but basically unused code gets wiped."

Sneak Peek: Beyond React 16
Intriguing ~30min talk with demos of what the future of React might look like showing off the new capabilities that async rendering unlocks for your components. Time Slicing lets you render and update large React component trees without blocking the user interactions. Suspense lets you render a component tree “in background” while components are fetching data, and display them only after the whole tree is ready. (from Twitter)